<html><head></head><body><h2>BWCTL TCP/UDP Port Usage and Firewall Configuration</h2>

<p>BWCTL uses three different sets of ports:</p>

<ol>
    <li>Main daemon listening port for control connection (<em>Default: TCP/4823</em>)</li>
    <br>
    <dl>
        Defined using the <em>port</em> portion of the <em>src_node</em>
        configuration option from
        <a href="bwctld.conf.man.html">bwctld.conf</a>
        <p>For example, to enable this on a typical Red Hat Enterprise Linux system,
        you would need to add the following line to /etc/sysconfig/iptables:</p>
<pre>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4823 -j ACCEPT
</pre>
        <p>
        This should be added somewhere <b>after</b> the line that allows
        ESTABLISHED and RELATED connections through.</p>
        <p>
        This does not use the system-config-securitylevel script from
        Redhat. I have not been able to get that to do all the things I needed.
        </p>
    </dl>

    <li>bwctld peer connections (<em>Default: TCP/ephemeral range</em>)</li>
    <br>
    <dl>
        Defined using the <em>peer_port</em> configuration option from
        <a href="bwctld.conf.man.html">bwctld.conf</a>
        <p>If you specified <em>peer_port</em> as
        9910-9950, you would then need to enable this range in your
        firewall configuration. (If you do not specify a range, BWCTL will
        only work reliably if you have open access for the entire ephemeral
        port range.)</p>
        <p>On a typical Red Hat Enterprise Linux system,
        you would need to add the following line to /etc/sysconfig/iptables
        given this range:</p>
<pre>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9910:9950 -j ACCEPT
</pre>
        <p>
        This should be added somewhere <b>after</b> the line that allows
        ESTABLISHED and RELATED connections through.</p>
        <p>
        This does not use the system-config-securitylevel script from
        Redhat. I have not been able to get that to do all the things I needed.
        </p>
    </dl>

    <li>Test Connections (<em>Default: Tool Specific</em>)</li>
    <br>
    <dl>
        Each throughput tester can have its own port defined in <a
        href="bwctld.conf.man.html">bwctld.conf</a>. The configuration option
        for each tester takes the form testername_port. For example, to set the
        <b>Thrulay</b> port, you would use the option thrulay_port. The following
        example would apply to any of the testers, just changing the
        appropriate configuration option.

        <p>If you specified <em>iperf_port</em> as
        5001-5004, you would then need to enable this range in your
        firewall configuration. If you allow UDP tests (in your
        <a href="bwctld.limits.man.html">bwctld.limits</a> file),
        you will need to open up the UDP ports. Likewise for TCP.
        The default is 5001 for TCP and UDP tests, and you will only be
        able to test if you open the ports specified.</p>
        <p>On a typical Red Hat Enterprise Linux system,
        you would need to add the following lines to /etc/sysconfig/iptables
        given this range:</p>
<pre>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5001:5004 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p ucp --dport 5001:5004 -j ACCEPT
</pre>
        <p>
        This should be added somewhere <b>after</b> the line that allows
        ESTABLISHED and RELATED connections through.</p>
        <p>
        This does not use the system-config-securitylevel script from
        Redhat. I have not been able to get that to do all the things I needed.
        </p>
    </dl>
</ol>
<h3>Example RHEL 4 /etc/sysconfig/iptables file</h3>
<pre>*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# bwctld listen port (src_node)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4823 -j ACCEPT
# bwctld peer_ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9910:9950 -j ACCEPT
# bwctl/iperf_port
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p ucp --dport 5001 -j ACCEPT
# reject anything that has not matched
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>
</body></html>
